 Forensics  Application of scientific knowledge to a problem  Computer Forensics  Application of the scientific method in reconstructing a sequence of events involving computers and information Computer Forensics2

 Locard's Exchange Principle  Postulated by Edmond Locard  Director of the first crime laboratory in existence (Lyon, France)  States that everywhere you go  You take something with you -AND-  You leave something behind  Used in the world of traditional forensics  Piece the artifacts together for attribution  Collect corroborating evidence  Applies to computer forensics as well Computer Forensics3

 Disk forensics  Hard drives and other storage media  Network forensics  Log files  Network traffic  Memory forensics  Capture the contents of RAM and analyze  Mobile device forensics  Cell phones  PDA's  iPods  GPS devices Computer Forensics4

 Investigations generally progress in a certain manner  Three stages:  Acquisition  Analysis  Reporting  Each step is critical to an investigation  Must be carried out in a sound manner  Investigative work must be capable of being repeated by an independent investigator Computer Forensics5

 Collection of evidence  Evidence must be properly preserved  Chain of custody  Create a copy of the original evidence  All investigative work done on the copy  Create a logical image  Copy of files on the hard drive  Create a physical image  Exact mirror of the storage device (at the bit level)  Create a hash of the original evidence  Prove that evidence has not been tampered with  All actions (through reporting) should be logged Computer Forensics6

 Evidence examined and information extracted from the data  Basis for the report  Construct a timeline of events  Attempt to reconstruct the event using all available evidence  Must convert date/time stamps into a common time  Hash evidence periodically to ensure you aren’t changing it  Evidence MUST NEVER BE ALTERED  Often set media to read-only to prevent inadvertent changes  Consider additional evidence that must be collected Computer Forensics7

 Communicate the findings  Should be organized, concise, and UNBIASED  Adjudication venue will dictate format  Criminal court vs. internal investigation  Should include  Executive summary (easy to understand version of findings)  Timeline of events  Hashes of evidence  Unbiased detailed findings Computer Forensics8

 Registry analysis (Windows)  File carving  Recovery of deleted files  Crack passwords/defeat encryption  Examine log files  Establish patterns/determine deviations from norms  Run images in virtual machine  Observe behavior  Memory capture/analysis  See what was running on the machine Computer Forensics9

 Web browser forensics  History, cache, stored passwords, cookies, etc.  Examine hard drive using a live CD  Usually Linux distribution  Examine hard drive without booting the machine  Packet capture analysis  Router span port or intrusion detection system  analysis  Determine user activities  Search for hidden or encrypted files, steganography, alternate data streams  Create network map Computer Forensics10

 Writing over existing data with "junk" data  Re-format the drive  Software “file-shredders”  Magnetically degaussing the hard drive with a degausser  Giving the hard drive an acid bath.  Damaging the disk with fire…destruction is the only guarantee… Computer Forensics11

Computer Forensics12